Incident Response for Targeted attacks (Talks / ROOTCON 9)

Incident Response for Targeted attacks Jose Ramon Palanco

Transcript of Incident Response for Targeted attacks (ROOTCON 9)

Page 1: Incident Response for Targeted attacks 9/Talks/ROOTCON 9 - Incident... · Alienvault OSSIM Open Source SIEM (GPL) Version 5.0 released on April 20, 2015 Based on third party Open

Incident Response for Targeted attacks

Jose Ramon Palanco

Page 2:

about:

Jose Ramon Palanco
From Spain
Security Researcher
+10 years experience

Page 3:

SOC: What does SOC stand for?

A security operations center (SOC) is a centralized unit that deals with security issues on an organizational and technical level. A SOC within a building or facility is a central location from where staff supervises the site, using data processing technology.

Page 4:

SOC

Page 5:

SOC Organization

● SOC Manager
● Intelligence Team Leader
● Operations Team Leader
● Tier 3 / Security Engineer
● Tier 2
● Tier 1

Page 6:

SOC Incident types

● Denial of Service
● Unauthorized access
● Vulnerability identification
● Hacker activity
● Data loss
● Malicious software activity

Page 7:

SOC Tools

● Endpoint Security (Antivirus/DLP/..)
● Network Security (IDS/IPS/Firewalls/..)
● Malware Sandbox
● SIEM
● Ticketing system

Page 8:

SOC Methodology

DataFlow: logs > events > alerts > incidents

WorkFlow: incident > ticket > analysis/scale

Page 9:

SIEM

● Security Information and Event Manager
● Sometimes SIM or SEM
● SIEM is not just Log Management

Page 10:

SIEM

● Relevant log collection
● Aggregation
● Normalization
● Retention
● Analysis (correlation & prioritization)
● Presentation (Reporting & Visualization)
● Workflow

Page 11:

SIEM: logs

Aug 18 20:22:31 server sshd[1891]: error: PAM: authentication error for root from localhost via 127.0.0.1

Page 12:

SIEM: logs

Date: Aug 18 20:22:31
Server: server
Service/Process: sshd[1891]
Error: PAM Authentication error for root from localhost
Details: via 127.0.0.1

Page 13:

SIEM: Event Correlation Rules

● Repetition Rules
● Combination Rules
● Missing Recurrence Rules
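As an added example (not from the talk), the Python below normalizes raw sshd/PAM syslog lines like the one on the "SIEM: logs" slide into the fields the slides show, then runs a simple repetition rule over the normalized events. Only the first sample line is the slide's own; the other lines, the field names, the threshold and the window are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the slide's sshd/PAM format (first line is the slide's,
# the rest are made up to exercise the repetition rule).
SAMPLE_LOGS = [
    "Aug 18 20:22:31 server sshd[1891]: error: PAM: authentication error for root from localhost via 127.0.0.1",
    "Aug 18 20:22:33 server sshd[1891]: error: PAM: authentication error for root from localhost via 127.0.0.1",
    "Aug 18 20:22:36 server sshd[1891]: error: PAM: authentication error for root from localhost via 127.0.0.1",
    "Aug 18 20:25:10 server sshd[1902]: error: PAM: authentication error for bob from 10.0.0.5 via 10.0.0.5",
]

SYSLOG_RE = re.compile(
    r"^(?P<date>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<body>.*)$"
)
PAM_RE = re.compile(r"PAM: authentication error for (?P<user>\S+) from (?P<src>\S+) via (?P<src_ip>\S+)")

def normalize(line):
    """Normalize one raw syslog line into date/server/process plus event-specific fields."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # unparseable line: a real SIEM would count these, not drop them silently
    ev = {"date": m["date"], "server": m["host"], "process": f"{m['proc']}[{m['pid']}]"}
    pam = PAM_RE.search(m["body"])
    if pam:
        ev.update(event="pam_auth_failure", user=pam["user"], src=pam["src"], src_ip=pam["src_ip"])
    else:
        ev.update(event="other", msg=m["body"])
    return ev

def repetition_rule(events, threshold=3, window_seconds=60):
    """Repetition rule: alert once when (server, user, src_ip) fails auth `threshold` times in the window."""
    alerts, seen = [], defaultdict(list)
    for ev in events:
        if ev is None or ev["event"] != "pam_auth_failure":
            continue
        ts = datetime.strptime(ev["date"], "%b %d %H:%M:%S")  # syslog timestamps carry no year
        key = (ev["server"], ev["user"], ev["src_ip"])
        # sliding window: keep only earlier failures still inside the window, then add this one
        seen[key] = bucket = [t for t in seen[key] if (ts - t).total_seconds() <= window_seconds] + [ts]
        if len(bucket) == threshold:  # fire exactly once when the threshold is first reached
            alerts.append({"rule": "repeated_auth_failure", "server": key[0], "user": key[1],
                           "src_ip": key[2], "count": len(bucket)})
    return alerts

def run(lines=SAMPLE_LOGS):
    """Whole pipeline from the slides: logs > events > alerts."""
    return repetition_rule([normalize(l) for l in lines])
```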

Page 14:

Arcsight

ArcSight Enterprise Security Manager (ESM)
ArcSight Express
ArcSight Logger

Page 15:

Arcsight

Page 16:

Arcsight: CEF

The Common Event Format (CEF) is an open log management standard.

It supports over 275 products across more than 35 solution categories.

Page 17:

Arcsight: CEF

CEF:0|Trend Micro Inc.|OSSEC HIDS|v2.5.1|5302|\
User missed the password to change UID to root.|9|dvc=ubuntusvr \
cs2=ubuntusvr->/var/log/auth.log cs2Label=Location src= suser=root \
msg=May 11 21:16:05 ubuntusvr su[24120]: - /dev/pts/1 xavier:root
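As an added example, not from the talk or from ArcSight, a small Python parser for the CEF line above: it splits the seven pipe-separated header fields while honouring backslash escapes, splits the extension into key=value pairs whose values may contain spaces (and tolerates the empty `src=`), and pairs `cs2Label` with `cs2`. The header field names are my own labels for the seven positions.

```python
import re

# The slide's CEF line, joined from its backslash-continued fragments. Note the empty
# "src=" value and the spaces inside the msg value, both of which the parser must handle.
CEF_SAMPLE = (
    "CEF:0|Trend Micro Inc.|OSSEC HIDS|v2.5.1|5302|"
    "User missed the password to change UID to root.|9|"
    "dvc=ubuntusvr cs2=ubuntusvr->/var/log/auth.log cs2Label=Location src= suser=root "
    "msg=May 11 21:16:05 ubuntusvr su[24120]: - /dev/pts/1 xavier:root"
)

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# An extension key sits at the start of the extension or right after a space and ends with '=';
# a value runs up to the next such key, so it may itself contain spaces.
EXT_KEY_RE = re.compile(r"(?:^|(?<= ))([A-Za-z0-9_]+)=")

def _split_header(s):
    """Split the 7 header fields on unescaped '|' (a backslash escapes the next character)."""
    fields, cur, i = [], [], 0
    while i < len(s) and len(fields) < 7:
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            cur.append(s[i + 1]); i += 2; continue
        if c == "|":
            fields.append("".join(cur)); cur = []; i += 1; continue
        cur.append(c); i += 1
    return fields, s[i:]

def parse_cef(line):
    """Parse one CEF line into header fields plus an 'extension' dict of key/value pairs."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, ext = _split_header(line[len("CEF:"):])
    if len(fields) != 7:
        raise ValueError("CEF header needs 7 fields")
    event = dict(zip(HEADER_FIELDS, fields))
    keys = list(EXT_KEY_RE.finditer(ext))
    extension = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        # CEF escapes '=' and '\' inside extension values; undo that here
        extension[m.group(1)] = ext[m.end():end].rstrip(" ").replace("\\=", "=").replace("\\\\", "\\")
    event["extension"] = extension
    # cs2Label=Location names what the custom string cs2 holds; expose that pairing directly
    for k, label in list(extension.items()):
        if k.endswith("Label") and k[:-5] in extension:
            event.setdefault("labels", {})[label] = extension[k[:-5]]
    return event
```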

Page 18:

Arcsight: Smart Connectors

SmartConnectors provide source-optimized collection for leading commercial security products:
● Operating Systems, Apps, ..
● Antivirus, DLP, ..
● Firewalls, IPS, IDS, ..
● ...

Page 19:

Arcsight: Logger

● Collect logs
● Unify the data into CEF
● Search through millions of events
● Store years' worth of logs and events
● Automate analysis, alerting, reporting, intelligence of logs and events for IT security, IT operations, IT GRC and log analytics

Page 20:

Arcsight: Manager (ESM)

● A cost-effective solution for all your regulatory compliance needs
● Automated log collection and archiving
● Fraud detection
● Real-time threat detection
● Forensic analysis capabilities for cybersecurity

Page 21:

Arcsight ESM Console

Page 22:

Alienvault OSSIM

● Open Source SIEM (GPL)
● Version 5.0 released on April 20, 2015
● Based on third party Open Source projects

Page 23:

Alienvault OSSIM

Page 24:

Alienvault OSSIM Components

● PRADS: passive identification of hosts
● OpenVAS: vulnerability scanner
● Snort/Suricata: IDS/IPS
● Tcptrack: session data information
● Nagios: monitoring
● OSSEC: HIDS
● FProbe, NFSen/NFDump: NetFlow Analysis

Page 25:

Reversing

Reversing (malware analysis) is the study of a malware sample by dissecting its different components and studying its behavior on the host computer's operating system.

Page 26:

Reversing: Static Analysis

● Strings
● Yara rules
● IAT/imphash
● IDA Pro
● UPX, Bytehist, Density Scout, PackerID
● Signsrch, pescanner, ExeScan, pev, Peframe, pedump

Page 27:

Reversing: IDA Pro

Page 28:

Reversing: Dynamic Analysis

● OllyDBG
● WinDBG
● Cuckoo Sandbox

Page 29:

Reversing: OllyDBG

Page 30:

IoC

Indicators of compromise (IOC) are artifacts observed on a network or in an operating system that indicate, with high confidence, a computer intrusion (IP, hash, host, ..)

Standards: openioc, stix, snort, yara

Page 31:

OpenIOC

Page 33:

Snort

● Snort is a free and open source IDS
● Considered the de facto standard
● Modes:
    ○ Sniffer
    ○ Packet logger
    ○ Network intrusion detection

Page 34:

Snort rule

Page 35:

Suricata

Suricata is a Snort-compatible IDS. Main features:
● Multi-threading
● Lua scripting
● GPU (Graphics card) acceleration
● HTTP log module
● Fast IP matching

Page 36:

Yara

“YARA is to files what Snort is to network traffic.” -- Victor Manuel Alvarez, Yara Developer

Page 37:

Yara

With YARA you can create rules that describe malware families based on textual or binary patterns.

Each rule consists of a set of strings and a boolean expression that determines its logic.

Page 38:

Yara rule

Page 39:

ELK

● Elasticsearch for deep search and data analytics

● Logstash for centralized logging, log enrichment and parsing

● Kibana for powerful and beautiful data visualizations

Page 40:

ELK

Page 41:

Cuckoo Sandbox

● Native functions and Windows API calls traces
● Copies of files created/deleted in the filesystem
● Dump of the memory of the selected process
● Full memory dump of the analysis machine
● Screenshots
● Network dump

Page 42:

Cuckoo sandbox

Page 43:

El Jefe

EL JEFE is a free situational awareness tool for securing organizations: it helps locate and respond to advanced threats by looking at what processes are started on each machine and gathering that data for the entire enterprise in a database.

Page 44:

El Jefe

Page 45:

GRR

● GRR is an Incident Response Framework focused on Remote Live Forensics.

● The disk and file system analysis capabilities are provided by the sleuthkit and pytsk projects.

● The memory analysis and acquisition capabilities are provided by the rekall project.

Page 46:

GRR

Page 47:

Virustotal

VirusTotal is a website, originally developed by Hispasec, that provides free checking of files for viruses. It uses up to 54 different antivirus products and scan engines to check for viruses that the user's own antivirus solution may have missed, or to verify against any false positives.

Page 48:

Dinoflux

● IoC in different formats
    ○ snort
    ○ suricata
    ○ arcsight
● Cyber Intelligence Database
    ○ hash
    ○ ip/host
    ○ history

Page 49:

APT

An advanced persistent threat (APT) is a set of stealthy and continuous computer hacking processes, often orchestrated by human(s) targeting a specific entity. APT usually targets organizations and/or nations for business or political motives.

Page 50:

HAVEX: A targeted attack

1. Received suspicious file
2. Executed inside cuckoo with SCADA tools
3. Report reveals OPC communications
4. Perform Dynamic/Static analysis
5. Report